Marc Frankel
Podcast Appearances
So for your developers who are generating new software applications on the back end in the CI/CD pipeline, we are automating: every time they hit build, or every time they hit push or publish or whatever, it generates, it stamps out a new SBOM, and that SBOM flows into the Manifest platform. So in an ideal world, no human hands touch this artifact.
And yet you end up with an inventory of every third-party, open source, or proprietary component that went into the piece of software that they developed. That's step one. Step two is requiring SBOMs from your vendors. And here we've developed this SBOM outreach playbook, which, by the way, it's not like, you know, a proprietary thing that you have to go to Barnes and Noble and spend $50 on.
Anybody who's listening, if you want it, we'll give it to you. We're all fighting the same fight of pushing for software supply chain transparency. I'll drop it in the show notes, the link to it. There you go. What we realized was that the meaningful hurdle to deploying an SBOM requirement to third parties was all the administrivia that surrounded it. What's the contract language that we put in an MSA?
What's the one trust question that we add to our survey? What's the email that we write to our vendors explaining what it is we need and how we need it? What's the follow up email? And so we've just created more or less like Mad Libs templates.
You know, it's like, you know, dear vendor name, Enterprise is requiring SBOMs because we are concerned about, you know, software supply chain visibility. You have blank many days, you know, and it's almost like Mad Libs. Try not to put in, you know, all the things that you would have put in the back of like, you know, your fifth grade bus ride home when you were doing Mad Libs.
But the idea is to- I mean, you could, but- You could. You'd probably be in big trouble. You would, yeah, yeah. Dear Bozo. Yeah, no. Uh- But the idea is to templatize this as much as we possibly can. The first customer that we ever had who required SBOMs, we needed to generate all of this from scratch. Every one of our customers thereafter ought to be able to build.
So we've templatized the process of requiring SBOMs from your vendors. We even built a capability in our platform that we call Ask to solicit SBOMs. If you know your vendor's email address, we'll take care of the rest. And then once you are generating SBOMs for your internal applications and requiring SBOMs from your third-party vendors, we are automating the analysis, right?
So you're still not touching the JSON file. We are comparing it to leading vulnerability databases, the NVDs, the OSVs, the EPSSs and the KEVs of the world, to analyze this. In some cases, really illuminating the JSON file to say, hey, here's where they have a component that matches a known software vulnerability.
And then we are contextualizing that to tell you these are the ones that have been proven to be exploitable or these are the ones that are likely to be exploitable. And these are the ones that you probably don't really need to care about. And so we give you a walk-up usable view of how good or bad should you feel about this SBOM in human consumable language.
And all of that is in service of the next time there's a Log4Shell or SolarWinds or Apache Struts or whatever, you're one click away from understanding which of my vendors and which of my software applications are affected, as opposed to 50,000 hair-on-fire phone calls.
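The "compare, then contextualize" step described above, as an added example that is not part of the episode and is not code from Manifest's platform: a script that reads a CycloneDX SBOM, matches each component's package URL against vulnerability records, then sorts findings into "proven exploitable" (in KEV), "likely exploitable" (EPSS above a threshold) and "low". The SBOM document, the vulnerability records, the KEV subset, the EPSS scores and the 0.10 threshold are all constructed inline so it runs offline; real NVD, OSV, CISA KEV and FIRST EPSS feeds would replace those constants, and the version ranges are deliberately simplified.

```python
"""Added example: triage a CycloneDX SBOM against vulnerability data.

Not code from the podcast or any vendor platform. Every constant below is
constructed for the example; swap in real feeds before relying on it.
"""
import json
import re

# Constructed CycloneDX 1.5 document standing in for the JSON a build emits.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "struts2-core", "version": "2.5.10",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.10"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "minimist", "version": "1.2.5",
         "purl": "pkg:npm/minimist@1.2.5"},
        {"type": "library", "name": "internal-widget", "version": "3.0.0"},  # no purl
    ],
})

# Simplified records (constructed; real NVD/OSV entries carry several ranges
# per CVE). A version in [introduced, fixed) counts as affected.
VULN_DB = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-2017-5638", "purl": "pkg:maven/org.apache.struts/struts2-core",
     "introduced": "2.5", "fixed": "2.5.10.1"},
    {"id": "CVE-2021-23337", "purl": "pkg:npm/lodash", "introduced": "0", "fixed": "4.17.21"},
    {"id": "CVE-2021-44906", "purl": "pkg:npm/minimist", "introduced": "0", "fixed": "1.2.6"},
]
KEV = {"CVE-2021-44228", "CVE-2017-5638"}  # constructed subset of the CISA KEV list
EPSS = {"CVE-2021-44228": 0.97, "CVE-2017-5638": 0.97,  # constructed scores, not
        "CVE-2021-23337": 0.35, "CVE-2021-44906": 0.01}  # real FIRST EPSS values
EPSS_THRESHOLD = 0.10  # assumption: at or above this, treat as "likely exploitable"


def parse_purl(purl):
    """Split 'pkg:type/ns/name@version' into (package key, version or None)."""
    base, sep, version = purl.partition("@")
    return base, (version if sep else None)


def version_key(version):
    """Leading dotted-numeric part as an int tuple; None if there is none.
    Pre-release suffixes such as '-rc1' are dropped (a known simplification)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def affected(version, record):
    """True when introduced <= version < fixed under tuple comparison."""
    vk = version_key(version)
    if vk is None:
        return False
    return version_key(record["introduced"]) <= vk < version_key(record["fixed"])


def match_sbom(sbom_text, vuln_db=VULN_DB):
    """Return (findings, unmatched): findings join components to records,
    unmatched lists components that could not be analysed (no purl)."""
    sbom = json.loads(sbom_text)
    findings, unmatched = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name"))
            continue
        base, version = parse_purl(purl)
        version = version or comp.get("version", "")
        for rec in vuln_db:
            if rec["purl"] == base and affected(version, rec):
                findings.append({"component": f"{comp['name']}@{version}",
                                 "id": rec["id"], "fixed": rec["fixed"]})
    return findings, unmatched


def triage(findings, kev=KEV, epss=EPSS, threshold=EPSS_THRESHOLD):
    """Bucket findings: KEV first, then EPSS score, everything else 'low'."""
    buckets = {"exploited": [], "likely": [], "low": []}
    for f in findings:
        if f["id"] in kev:
            buckets["exploited"].append(f)
        elif epss.get(f["id"], 0.0) >= threshold:
            buckets["likely"].append(f)
        else:
            buckets["low"].append(f)
    return buckets


def affected_by(cve_id, findings):
    """The 'one click' question: which components in this SBOM carry cve_id?"""
    return sorted(f["component"] for f in findings if f["id"] == cve_id)


if __name__ == "__main__":
    found, skipped = match_sbom(SBOM_JSON)
    for bucket, items in triage(found).items():
        print(bucket, [f"{i['component']} {i['id']} (fix >= {i['fixed']})" for i in items])
    print("no purl, not analysed:", skipped)
    print("CVE-2021-44228 affects:", affected_by("CVE-2021-44228", found))
```

Two caveats a practitioner would check before trusting output like this: components without a purl (or with a vendor-specific name) silently fall out of the match, so the `unmatched` list is as important as the findings; and naive numeric version comparison treats `2.15.0-rc1` as already fixed, so production matching needs ecosystem-aware version parsing (Maven, semver, PEP 440) rather than the tuple compare used here.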